Corporate directors need to understand and approach cyber security as an enterprisewide risk management issue, not just an information technology issue, says the Washington-based National Association of Corporate Directors in a handbook issued Wednesday.
“Cyber-Risk Oversight,” published in collaboration with American International Group Inc. and the Arlington, Virginia-based Internet Security Alliance, says another step corporate boards should consider is understanding the legal implications of cyber risks as they relate to their company’s specific circumstances.
Corporate boards should also:
• Have adequate access to cyber security expertise, and give regular and adequate time on the board meeting agenda to cyber risk management.
• Set the expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing and management.
• Include which risks to avoid, accept, mitigate or transfer through insurance in board management discussions of cyber risk identification, as well as specific plans associated with each approach.
The handbook also states that cyber security cannot be considered in a vacuum and that members of management and the board “must strike the appropriate balance between protecting the security of the organization and mitigating downside losses, while continuing to ensure profitability and growth in a competitive environment.”
The handbook also warns that although some organizations feel they are unlikely to be the victims of a cyber-attack because they are relatively small or do not hold substantial amounts of sensitive data, such as credit card numbers or medical information, “cyber criminals target companies of all sizes and from every industry, seeking anything that might be of value.”
Experts have warned that board members and management should be prepared for directors and officers’ liability-related litigation that is certain to follow a major cyber breach.